Article

JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) program may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequentially, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present JoKER - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... Although the detection of firmware attacks has been studied in the recent years[70], most solutions focus on detecting the attack in the network traffic. Detecting an already compromised firmware installed within an embedded device such as a switch or router is still a challenging task[71]. The comparison of the device firmware with a clean image to identify malicious changes has been proposed[72], however extracting the device firmware is not always possible. ...
... The comparison of the device firmware with a clean image to identify malicious changes has been proposed[72], however extracting the device firmware is not always possible. More recently, Guri et al. proposed using the device's JTAG debugging interface to extract the memory for security purposes[71]. Such a method is considered invasive and involves opening the device for physical forensic investigation, and hence it is not a practical scalable solution. ...
Article
In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at a bit rates of 10 bit/sec to more than 1Kbit/sec per LED.
... Software-based detection also suffers from an inherent weakness in that it can be easily bypassed by malware. Static and dynamic detection of a malicious app in a smartphone is known to be a challenging task due to the wide range of code obfuscation and sandbox evasion techniques [43] [44]. Moreover, apps that request access to the magnetic sensor are very common (e.g., for positioning and orientation), and therefore they cannot automatically be classified as malicious. ...
Preprint
In this paper, we show that attackers can leak data from isolated, air-gapped computers to nearby smartphones via covert magnetic signals. The proposed covert channel works even if a smartphone is kept inside a Faraday shielding case, which aims to block any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.). The channel also works if the smartphone is set in airplane mode in order to block any communication with the device. We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores. Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals. A smartphone located near the computer receives the covert signals with its magnetic sensor. We present technical background, and discuss signal generation, data encoding, and signal reception. We show that the proposed covert channel works from a user-level process, without requiring special privileges, and can successfully operate from within an isolated virtual machine (VM).
... Second, as long disabling the IR LEDs is done at the software level (e.g., by changing the default settings), malware can re-enable it again. Even if disabling the IR LEDs is done at the firmware level, the surveillance camera itself may be compromised by malware (e.g., firmware level rootkit [55]) that can override these settings [56] [26] [57] [58]. A less elegant countermeasure against exfiltration attacks is to physically disconnect the camera's IR LEDs, or cover them with black tape which blocks the optical emanation [19]. ...
Preprint
Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light. In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization access the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.
... On rootkit detection from the kernel-level space, JoKER [GPSE15] utilizes the Joint Test Action Group (JTAG) hardware interface for trusted memory to detect rootkits. LKRG is intended to safeguard OS kernel-level integrity against kernel-level rootkits and exploits. ...
Thesis
The Internet of Things is constituted of devices that are exponentially growing in number and in complexity. They utilize a variety of customized software and firmware without consideration of security concerns, making them an appealing target for cybercriminals. Malware detection relying on static and dynamic features still have various difficulties such as packer or obfuscation techniques, or sandbox monitoring can be evaded. Unlike computer systems and servers, embedded cyber physical system may lack resources or accessibility for anti-malware tools. We will present methods that do not require device alteration while they can be deployed independently without any overhead by leveraging electromagnetic emanation over the air. The contributions of this PhD thesis are separated into two different parts. First, we present a novel approach that a malware analyst can use to gather exact information about the type and identity of malware, even in the presence of obfuscation techniques that may hinder analysis. Further we present low-cost ULTRA framework which is the first wave-and-play solution, where one can simply wave a probe over the device to instantly see what rootkit is infected. ULTRA has a specification that facilitates the discovery of rootkits in a system in real-time without the need for device alteration or software requirements by monitoring two distinct types of baits that are capable of exposing the behavior of stealthy rootkits.
... PHYLAX consists of three parts: 1) A reader module to fetch device, process, and applicationspecific parameters such as memory size, memory, or register access rate; 2) an adaptive module that compares the immutable section of the firmware to a baseline model to detect any modification and check for suspicious executable instruction; and 3) a detector module to check violations detected by the adaptive module to generate alerts. Guri et al. (2015) propose a framework, JoKER (JTAG observe Kernel), for detecting stealthy rootkits in the Android OS kernel by using the JTAG interface. The mobile device is halted using JTAG commands, providing read, write, and other debugging functionality to the RAM and Flash memory. ...
Article
Full-text available
In industrial control systems (ICS), programmable logic controllers (PLC) are the embedded devices that directly control and monitor critical industrial infrastructure processes such as nuclear plants and power grid stations. Cyberattacks often target PLCs to sabotage a physical process. A memory forensic analysis of a suspect PLC can answer questions about an attack, including compromised firmware and manipulation of PLC control logic code and I/O devices. Given physical access to a PLC, collecting forensic information from the PLC memory at the hardware-level is risky and challenging. It may cause the PLC to crash or hang since PLCs have proprietary, legacy hardware with heterogeneous architecture. This paper addresses this research problem and proposes a novel JTAG (Joint Test Action Group)-based framework, Kyros, for reliable PLC memory acquisition. Kyros systematically creates a JTAG profile of a PLC through hardware assessment, JTAG pins identification, memory map creation, and optimizing acquisition parameters. It also facilitates the community of interest (such as ICS owners, operators, and vendors) to develop the JTAG profiles of PLCs. Further, we present a case study of Kyros implementation over Allen-Bradley 1756-A10/B to help understand the framework's application on a real-world PLC used in industry settings. The sample PLC memory dumps are shared with the research community to facilitate further research.
... Guri et al. [26] propose a framework, JoKER (JTAG observe Kernel), for detecting stealthy rootkits in the Android OS kernel by using the JTAG interface. The mobile device is halted using JTAG commands, providing read, write, and other debugging functionality to the RAM and Flash memory. ...
Preprint
Full-text available
In industrial control systems (ICS), programmable logic controllers (PLC) are the embedded devices that directly control and monitor critical industrial infrastructure processes such as nuclear plants and power grid stations. Cyberattacks often target PLCs to sabotage a physical process. A memory forensic analysis of a suspect PLC can answer questions about an attack, including compromised firmware and manipulation of PLC control logic code and I/O devices. Given physical access to a PLC, collecting forensic information from the PLC memory at the hardware-level is risky and challenging. It may cause the PLC to crash or hang since PLCs have proprietary, legacy hardware with heterogeneous architecture. This paper addresses this research problem and proposes a novel JTAG (Joint Test Action Group)-based framework, Kyros, for reliable PLC memory acquisition. Kyros systematically creates a JTAG profile of a PLC through hardware assessment, JTAG pins identification, memory map creation, and optimizing acquisition parameters. It also facilitates the community of interest (such as ICS owners, operators, and vendors) to develop the JTAG profiles of PLCs. Further, we present a case study of Kyros implementation over Allen-Bradley 1756-A10/B to help understand the framework's application on a real-world PLC used in industry settings. The sample PLC memory dumps are shared with the research community to facilitate further research.
... The evidence is more likely to exist on memory as all malicious codes need to be loaded into memory to execute [37]. Volatile memory forensic have been used to detect kernel-level rootkits in prior works [38,39,40,41]. Volatility [17] is now most commonly used memory forensic framework that can extract digital artifacts from volatile memory without interrupting the system being investigated. ...
Conference Paper
The container-based cloud computing service is increasingly adopted by many service providers for its efficiency and flexibility. Containers isolated by namespaces share OS kernel. When the kernel-level rootkits exploit vulnerabilities existing in kernel, the namespace can be invalidated leading to critical security incidents. Even though many traditional approaches have been made to detect kernel-level rootkits, it is hard to detect new attacks conducted in the new environment such as container-based cloud computing system. In this paper, we show some possible attack scenarios by kernel-level rootkits exploiting kernel namespaces and suggest key features that can be used to train machine learning and neural network models.
... Bootloader and kernel developers use dedicated low level interfaces like JTAG which allows them to stop the CPU and access the RAM memory. JTAG is also used by security researchers to perform forensic analysis of the device using for example JoKER ( Guri et al., 2015 ). Unfortunately it requires expensive equipment and direct access to device's PCB (Printed Circuit Board). ...
Article
Universal Serial Bus (USB) is currently one of the most popular standards that controls communication between personal computers (PCs) and their peripheral devices. Thus, it is important to establish whether such connections are properly secured especially when USB is used to connect devices like smartphones, tablets, etc. where sensitive user data can be potentially stored. For this reason, this paper evaluates security of the recent Android versions with respect to the USB-related attacks. In particular, we present a novel approach to compromise Android-based devices by exploiting Android Debug Bridge (ADB) protocol using Man in the Middle (MitM) attacks. Comprehensive analysis of those types of attacks have revealed five novel security vulnerabilities in the Android OS. Security gaps found in this paper cannot only be used to bypass the lock screen security and to gain unauthorized access to the user's private data but also to enable future ADB attacks by incorporating a backdoor to bypass phone security at any time. We also developed a tool which exploits all discovered vulnerabilities and can serve as a security mean to assess current ADB implementations as well as future protocol improvements. By disclosing new security weaknesses we want to raise security awareness of the users, researches, security professionals, and developers related to the USB-related attacks and to the threat they pose not only to PCs but also to the USB devices.
... Such an attack requires that the peripheral send malformed data to the CPU, causing the device driver to malfunction and thereby compromising the operating system kernel. Once the kernel is compromised, it is possible to disable detection and prevention of suspicious system activity, eavesdrop on sensors and on other applications, and most significantly operate on systems where only a partial software stack had been loaded, such as a device in charging, standby or even turned off state [16,17,11,18,19]. ...
Preprint
Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves. Third-party driver source code to support these components is integrated into the vendor's source code. In contrast to 'pluggable' drivers, such as USB or network drivers, the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy. As a result of this trust, very few integrity checks are performed on the communications between the component and the device's main processor. In this paper, we call this trust into question, considering the fact that touchscreens are often shattered and then replaced with aftermarket components of questionable origin. We analyze the operation of a commonly used touchscreen controller. We construct two standalone attacks, based on malicious touchscreen hardware, that function as building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations. Combining the two building blocks, we present and evaluate a series of end-to-end attacks that can severely compromise a stock Android phone with standard firmware. Our results make the case for a hardware-based physical countermeasure.
... Software-based detection also suffers from an inherent weakness in that it can be easily bypassed by malware. Static and dynamic detection of a malicious app in a smartphone is known to be a challenging task due to the wide range of code obfuscation and sandbox evasion techniques [43] [44]. Moreover, apps that request access to the magnetic sensor are very common (e.g., for positioning and orientation), and therefore they cannot automatically be classified as malicious. ...
Article
In this paper, we show that attackers can leak data from isolated, air-gapped computers to nearby smartphones via covert magnetic signals. The proposed covert channel works even if a smartphone is kept inside a Faraday shielding case, which aims to block any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.). The channel also works if the smartphone is set in airplane mode in order to block any communication with the device. We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores. Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals. A smartphone located near the computer receives the covert signals with its magnetic sensor. We present technical background, and discuss signal generation, data encoding, and signal reception. We show that the proposed covert channel works from a user-level process, without requiring special privileges, and can successfully operate from within an isolated virtual machine (VM).
... Second, as long disabling the IR LEDs is done at the software level (e.g., by changing the default settings), malware can re-enable it again. Even if disabling the IR LEDs is done at the firmware level, the surveillance camera itself may be compromised by malware (e.g., firmware level rootkit [55]) that can override these settings [56] [26] [57] [58]. A less elegant countermeasure against exfiltration attacks is to physically disconnect the camera's IR LEDs, or cover them with black tape which blocks the optical emanation [19]. ...
Article
Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light. In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization access the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.
... The most reliable detection of a compromise could be achieved through low-level instrumentation of the IoT devices, e.g. through JTAG or similar connections. The setup and maintenance of such instrumentation is possible, but expected to be challenging and expensive [16]. ...
Conference Paper
In recent years, the emerging Internet-of-Things (IoT) has led to rising concerns about the security of networked embedded devices. In this work, we focus on the adaptation of Honeypots for improving the security of IoTs. Low-interaction honeypots are used so far in the context of IoT. Such honeypots are limited and easily detectable, and thus, there is a need to find ways how to develop high-interaction, reliable, IoT honeypots that will attract skilled attackers. In this work, we propose the SIPHON architecture - a Scalable high-Interaction Honeypot platform for IoT devices. Our architecture leverages IoT devices that are physically at one location and are connected to the Internet through so-called wormholes distributed around the world. The resulting architecture allows exposing few physical devices over a large number of geographically distributed IP addresses. We demonstrate the proposed architecture in a large scale experiment with 39 wormhole instances in 16 cities in 9 countries. Based on this setup, six physical IP cameras, one NVR and one IP printer are presented as 85 real IoT devices on the Internet, attracting a daily traffic of 700MB for a period of two months. A preliminary analysis of the collected traffic indicates that devices in some cities attracted significantly more traffic than others (ranging from 600 000 incoming TCP connections for the most popular destination to less than 50000 for the least popular). We recorded over 400 brute-force login attempts to the web-interface of our devices using a total of 1826 distinct credentials, from which 11 attempts were successful. Moreover, we noted login attempts to Telnet and SSH ports some of which used credentials found in the recently disclosed Mirai malware.
... Another solution may involve using host intrusion detection systems (HIDS) and host intrusion prevention systems (HIPS) to detect and prevent suspicious 'seek' pattern on HDDs. Such software based countermeasures can be evaded by malware and rootkits at the OS kernel [80] [81]. In addition, distinguishing between legitimate read, write, and seek operations and malicious ones may not be a trivial task. ...
Article
Air-gapped computers are disconnected from the Internet physically and logically. This measure is taken in order to prevent the leakage of sensitive data from secured networks. In the past, it has been shown that malware can exfiltrate data from air-gapped computers by transmitting ultrasonic signals via the computer's speakers. However, such acoustic communication relies on the availability of speakers on a computer. In this paper, we present 'DiskFiltration,' a covert channel which facilitates the leakage of data from an air-gapped compute via acoustic signals emitted from its hard disk drive (HDD). Our method is unique in that, unlike other acoustic covert channels, it doesn't require the presence of speakers or audio hardware in the air-gapped computer. A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm. Digital Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter on a personal computer and a receiver on a smartphone, and we provide the design and implementation details. We also evaluate our covert channel on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a smartphone at an effective bit rate of 180 bits/minute (10,800 bits/hour) and a distance of up to two meters (six feet).
Article
Operational Technology (OT) systems have become increasingly interconnected and automated, consequently resulting in them becoming targets of cyber attacks, with the threat towards a range of critical national infrastructure (CNI) sectors becoming heightened. This is particularly the case for Industrial Control Systems (ICS), which control and operate the physical processes in CNI sectors such as water treatment, electrical generation and manufacturing. Unlike information technology (IT) systems, ICS have unique cyber-physical characteristics and related safety requirements, making them an attractive target for attacks given the physical consequences that can occur. As a result, the requirement to respond and learn from previous and new attacks is also increasing, with digital forensics playing a significant role in this process. The aim of this paper is to discuss the main issues and existing limitations related to ICS digital forensic. The field of ICS digital forensics is relatively under-developed and does not have the same levels of maturity as IT digital forensics. Although the amount of research on cyber security for ICS is increasing, many unique challenges still exist that pose as barriers to the development and deployment of ICS forensic capabilities. We provide an extensive discussion on these challenges, categorising them into technical, socio-technical, and operational and legal themes. Furthermore, the relationship between these challenge themes as well as the inter-challenge dependencies are also examined. Furthermore, this work discusses ICS forensic advances in relation to the digital forensics life chain, specifically forensic readiness and investigations. The areas of digital forensic training and processes models for ICS are given particular focus. Moreover, we assess the technologies and tools that have been either applied to or developed for ICS components and networks, giving special attention to forensic acquisition and analysis methods. An examination into the specific ICS digital forensic data sources and artefacts is also presented, highlighting that until recently, this was limited to descriptions of generic data formats. In addition, this paper provides an overview of several key ICS attacks, summarising the specific techniques used, data artefacts of interest, and proposing lessons learnt. Finally, this paper presents open discussions on future ICS digital forensics research directions and on-going issues, covering both short and long-term areas that can be addressed to improve the ICS digital forensics capability.
Conference Paper
The core part of the operating system is the kernel, and it plays an important role in managing critical data structure resources for correct operations. The kernel-level rootkits are the most elusive type of malware that can modify the running OS kernel in order to hide its presence and perform many malicious activities such as process hiding, module hiding, network communication hiding, and many more. In the past years, many approaches have been proposed to detect kernel-level rootkit. Still, it is challenging to detect new attacks and properly categorize the kernel-level rootkits. Memory forensic approaches showed efficient results with the limitation against transient attacks. Cross-view-based and integrity monitoring-based approaches have their own weaknesses. A learning-based detection approach is an excellent way to solve these problems. In this paper, we give an insight into the kernel-level rootkit characteristic features and how the features can be represented to train learning-based models in order to detect known and unknown attacks. Our feature set combined the memory forensic, cross-view, and integrity features to train learning-based detection models. We also suggest useful tools that can be used to collect the characteristics features of the kernel-level rootkit.
Article
Mobile smart devices are built of smaller components that are often fabricated by third-parties, and not by the device manufacturers themselves. Components such as sensors, radio transceivers, and touchscreen controllers are generally supplied to the manufacturers, along with driver software that facilitates communication between the component and the host device. Driver software is normally embedded within the operating system kernel, where it is trusted to behave within defined parameters. Since the hardware of the smart device is expected not to change frequently, the device driver source code implicitly assumes that the hardware of the component is authentic and trustworthy. Such trust permits driver designs with a lax approach towards the integrity and security of data exchanged between the main processor and the hardware component. In this paper, we question this trust in hardware components. Smart devices such as phones are often repaired with replacement components. Identifying and authenticating the source of these components is usually very difficult. We assume the threat consists of a malicious replacement touchscreen procured from an untrusted vendor. We construct two standalone attacks based on malicious touchscreen hardware. Our experiments demonstrate that these attacks allow an adversary to impersonate and eavesdrop on a user, exfiltrate data, and exploit the operating system, enabling the execution of privileged commands. For mitigating these and other similar attacks, we build and evaluate a machine-learning, hardware-based countermeasure capable of detecting abnormal communications with hardware components.
Chapter
People can obtain the highest privileges and control devices by Android root. However, an Android phone has been rooted, it is difficult for the user to update the Android system. Aiming at these problems, this paper proposes a maintaining root via custom Android kernel across Over-The-Air (OTA) upgrade. By customizing the kernel in boot and recovery, the boot will be replaced with rooted boot after updating automatically, so that system not only can be updated successfully but also maintain root. Experiments show that there is no abnormal between rooted mobile with a customized kernel and normal mobile during a minor system update.
Conference Paper
Android system versions update and iterate frequently with severe fragmentation. The distribution of the various Android versions’ market share is scattered, making system-level vulnerabilities’ risk extensive and serious. For the limitations of the present research, we design and implement a new comprehensive system-level vulnerability detection system VScanner. For the first time VScanner is based on Lua script engine as the core. It gives priority to dynamic detection by exploiting, and static detection by feature matching is complementary. Vulnerability trigger is developed by the form of plugins, and it bases on vulnerability taxonomy by POCAS, which shows good scalability. For system-level vulnerabilities, we have implemented 18 plugins, which all are system-level vulnerabilities in high risk. By experimental evaluation, VScanner has high efficiency, low false alarm rate, and good effects on vulnerability detection.
Conference Paper
Full-text available
The Android software stack for mobile devices defines and enforces its own security model for apps through its application-layer permissions model. However, at its foundation , Android relies upon the Linux kernel to protect the system from malicious or flawed apps and to isolate apps from one another. At present, Android leverages Linux discretionary access control (DAC) to enforce these guarantees , despite the known shortcomings of DAC. In this paper , we motivate and describe our work to bring flexible mandatory access control (MAC) to Android by enabling the effective use of Security Enhanced Linux (SELinux) for kernel-level MAC and by developing a set of middleware MAC extensions to the Android permissions model. We then demonstrate the benefits of our security enhancements for Android through a detailed analysis of how they mitigate a number of previously published exploits and vulnerabilities for Android. Finally, we evaluate the overheads imposed by our security enhancements.
Conference Paper
Full-text available
Mobile phone forensic has become more prominent since the mobile phones apparently become ubiquitous both for personal and business practice. Android smartphone shows tremendous growth in the global market share and will shows it predominant in the future. Many researches and works show the procedure and technique for acquire and analyse the non-volatile memory in the mobile phone. On the other hand, the physical memory (RAM) on the smartphone might retain the incriminating evidence that should be acquired and analysed by the examiner. It is obvious if the examiner should prioritise the acquisition of the volatile memory, due to its volatile condition and order of volatility. The work reveals the proper procedure for acquire the volatile memory in Android smartphone and discuss the use of Linux Memory Extraction (LiME) for dumping the volatile memory. The correct procedure and tools with regard with forensically sound manner is critical in every aspect of digital forensic. Therefore, the work documents the reasons and proofs that support such claim. The work also discuss the analysis process of the memory image with Volatility 2.3, especially how the application shows its capability analysis. Despite of its advancement there are two major concerns for both applications. First, examiners have to gain root privileges before they could execute LiME. Second, both applications have no generic solution or approach. On the other hand, currently there is no other tool or option that might give the same result as LiME and Volatility 2.3.
Article
Full-text available
Smart devices equipped with powerful sensing, computing and networking capabilities have proliferated lately, ranging from popular smartphones and tablets to Internet appliances, smart TVs, and others that will soon appear (e.g., watches, glasses, and clothes). One key feature of such devices is their ability to incorporate third-party apps from a variety of markets. This poses strong security and privacy issues to users and infrastructure operators, particularly through software of malicious (or dubious) nature that can easily get access to the services provided by the device and collect sensory data and personal information. Malware in current smart devices –mostly smartphones and tablets– have rocketed in the last few years, in some cases supported by sophisticated techniques purposely designed to overcome security architectures currently in use by such devices. Even though important advances have been made on malware detection in traditional personal computers during the last decades, adopting and adapting those techniques to smart devices is a challenging problem. For example, power consumption is one major constraint that makes unaffordable to run traditional detection engines on the device, while externalized (i.e., cloud-based) techniques rise many privacy concerns. This article examines the problem of malware in smart devices and recent progress made in detection techniques. We first present a detailed analysis on how malware has evolved over the last years for the most popular platforms. We identify exhibited behaviors, pursued goals, infection and distribution strategies, etc. and provide numerous examples through case studies of the most relevant specimens. We next survey, classify and discuss efforts made on detecting both malware and other suspicious software (grayware), concentrating on the 20 most relevant techniques proposed between 2010 and 2013. Based on the conclusions extracted from this study, we finally provide constructive discussion on open research problems and areas where we believe that more work is needed.
Article
Full-text available
The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discusses some of the challenges in performing Android memory acquisition, discusses our new kernel module for dumping memory, named dmd, and specifically addresses the difficulties in developing device-independent acquisition tools. Our acquisition tool supports dumping memory to either the SD on the phone or via the network. We also present analysis of kernel structures using newly developed Volatility functionality. The results of this work illustrate the potential that deep memory analysis offers to digital forensics investigators.
Conference Paper
Full-text available
Increasing adoption of smartphones in recent times has begun to attract more and more malware writers towards these devices. Among the most prominent and widely adopted open source software stacks for smartphones is Android that comes with a strong security infrastructure for mobile devices. However, as with any remote platform, a service provider or device owner needs assurance that the device is in a trustworthy state before releasing sensitive information to it. Trusted Computing provides a mechanism of establishing such an assurance. Through remote attestation, tc allows a service provider or a device owner to determine whether the device is in a trusted state before releasing protected data to or storing private information on the phone. However, existing remote attestation techniques cannot be deployed on Android due to the unique, vm-based architecture of the software stack. In this paper, we present an attestation mechanism tailored specifically for Android that can measure the integrity of a device at two levels of granularity. Our approach allows a challenger to verify the integrity of Android not only at the operating system level but also that of code executing on top of the vm. We present the implementation details of our architecture and show through evaluation that our architecture is feasible both in terms of time complexity and battery consumption.
Article
Android with linux kernel is on its way to be a standard platform of various smart devices. Therefore, Android platform based linux kernel rootkit will be a major security threat to smart phones, tablet PCs, smart TVs and so on. Although there is an urgent need of remedy for this threat, no solution or even a suitable study has been announced. In this paper, we are going to depict some rootkits which exploit android kernel by taking advantage of LKM(loadable kernel module) and /dev/kmem device access technology and discuss the danger the rootkit attack would bring.
Article
A rootkit is code that is used by an attacker to keep the legitimate users and administrators of a system unaware of the code, and thus the attackers, presence on the compromised system. This paper will discuss the history of rootkits specifically focusing on the evolution of the rootkit from the basic modification of system binaries to the cutting edge research being conducted today. A discussion of each type of rootkit will be followed by an overview of rootkit detection techniques and how to know when a rootkit has been deployed. Finally we will analyze the impact that rootkits have on the digital forensics process. From live state evidence acquisition to using the rootkit data as a source of evidence itself, the impact on the digital forensic realm is important to understanding the potential pitfalls when conducting an incident response or presenting evidence in a court of law.
Article
Google's Android framework incorporates an operating system and software stack for mobile devices. Using a general-purpose operating system such as Linux in mobile devices has advantages but also security risks. Security-Enhanced Linux (SELinux) can help reduce potential damage from a successful attack.
Article
This paper describes how to use JTAG (JTAG: Joint Test Action Group, also called boundary-scan) for producing a forensic image (image: an one-on-one copy of data found on an exhibit) of an embedded system. A JTAG test access port is normally used for testing printed circuit boards or for debugging embedded software. The method described in this paper uses a JTAG test access port to access memory chips directly. By accessing memory chips directly, the risk of changing data in the exhibit is minimized. Also user level passwords can be omitted.
com/analysis/kaspersky- security-bulletin/58265/kaspersky-security-bulletin- 2013-overall-statistics-for-2013
  • Available
Available: http://securelist.com/analysis/kaspersky- security-bulletin/58265/kaspersky-security-bulletin- 2013-overall-statistics-for-2013/. [Accessed 29 11 2014].
Oldboot: the first bootkit on Android Qihoo 360 Technology Co. Ltd, 17 1 2014
  • Z Xiao
  • Q Dong
  • H Zhang
  • X Jiang
Z. Xiao, Q. Dong, H. Zhang and X. Jiang, "Oldboot: the first bootkit on Android," Qihoo 360 Technology Co. Ltd, 17 1 2014. [Online]. Available: http://blogs.360.cn/360mobile/2014/01/17/oldboot-the- first-bootkit-on-android/. [Accessed 8 12 2014].
QSEE TrustZone Kernel Integer OverflowAndroid platform based linux kernel rootkit
  • D Rosenberg
D. Rosenberg, "QSEE TrustZone Kernel Integer Overflow," BlackHat, 2014. [7] D.-H. You and B.-N. Noh, "Android platform based linux kernel rootkit," in Malicious and Unwanted Software (MALWARE), Fajaro, 2011.
  • H S K W Y J J J S Sun
H. S. K. W. Y. J. J. &. J. S. Sun, "TrustDump: Reliable Memory Acquisition on Smartphones," in ESORICS, 2014.
Android forensics techniques. International Academy of Design and Technology
  • Z R I Jovanovic
Z. R. I. Jovanovic, "Android forensics techniques. International Academy of Design and Technology," 2012.
L4Android: a generic operating system framework for secure smartphones
  • M E Lange
M. e. a. Lange, "L4Android: a generic operating system framework for secure smartphones," in Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices., 2011.
VMM based rootkit detection on Android
  • A B P S E Kunk
A. B. P. &. S. E. Kunk, "VMM based rootkit detection on Android.," in University of Illinois at Urbana Champaign, May 2010.
The VMware mobile virtualization platform: is that a hypervisor in your pocket?
  • P B S. D. V. G. P. H. C. N. H. T B Z Barr
P. B. S. D. V. G. P. H. C. N. H. T. a. B. Z. Ken Barr, "The VMware mobile virtualization platform: is that a hypervisor in your pocket?," in SIGOPS Oper. Syst. Rev. 44, 4, 124-135, 2010.
PRACTICE Script Language Reference Guide
  • L Gmbh
L. GmbH, "PRACTICE Script Language Reference Guide," 2 2014. [Online]. Available: http://www2.lauterbach.com/pdf/practice_ref.pdf. [Accessed 1129 2014].
Widipedia (Slab_allocation)," [Online
  • Wikipedia
Wikipedia, "Widipedia (Slab_allocation)," [Online].